Published on
1 August 2024
In our latest article, Rebecca Grant, Aurora’s Global Business Manager, unpacks the new Digital Operational Resilience Act (and attempts to make a fairly dry topic a slightly lighter read).
Are you ready to embark on your DORA adventure?
Diving into DORA: The Regulatory Explorer's Guide
Meet the Digital Operational Resilience Act, or as we like to call it, DORA. No, it’s not the adventurous cartoon character with a monkey sidekick, but it’s got its own kind of excitement – if you’re into regulatory frameworks, that is. Already in force and applying from 17 January 2025, DORA is the EU's shiny new armour against cyber-attacks and digital mishaps. It's here to ensure financial entities can withstand, respond to, and recover from ICT-related disruption, whether that comes from an attack, an outage, or a failing supplier. Think of it as a digital knight in slightly less shining, but very serious, armour.
What's the Deal with CLM and DORA?
Before you start envisioning Dora the Explorer with a compliance checklist, let’s break down what this means for Client Lifecycle Management (CLM) and financial institutions in the UK and EU.
Back in 2021, the UK's FCA and PRA launched their "Joint Policy Statement on enhancing operational resilience in the financial sector." This was kind of like the UK's personal training regime for financial institutions, focusing on high-level principles and making sure they can handle disruptions without breaking a sweat. Think yoga for bankers – finding their zen while identifying their important business services, setting impact tolerances for each one, and testing that they can stay within those tolerances when things go wrong.
Enter DORA: The EU’s Compliance Commander
DORA, on the other hand, is more like the EU’s boot camp for financial institutions, focusing specifically on ICT risks. It’s a strict, rules-based regime built on five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management (including direct EU oversight of providers designated as critical), and information sharing. It’s like a regulatory Swiss Army knife, designed to cut through any digital disaster.
DORA is an EU regulation, so it doesn't apply directly to post-Brexit UK firms. It still reaches them, though: an EU bank or insurer must push DORA's contractual and due diligence requirements onto its ICT providers wherever they are based, and UK groups with EU subsidiaries or branches are caught through those entities. So, if you're doing business across the Channel, better start gathering your due diligence info – it's compliance season!
Who Needs to Mind DORA?
DORA's not picky – it’s got a wide circle of friends it wants to keep in line:
- Financial Entities: Banks, insurance companies, investment firms, payment and e-money institutions, fund managers, crypto-asset service providers – if money’s your game, DORA's your name.
- Market Infrastructure Providers: Trading venues, central counterparties, central securities depositories and trade repositories, get your compliance hats on.
- ICT Third-party Service Providers: If you supply ICT services (cloud, software, data centres, managed services) to any of the above, welcome to DORA’s world. Providers designated as critical get their own direct oversight from the European Supervisory Authorities.
- Outsourcing Providers, Fintech, and RegTech companies: Yup, you guessed it, DORA’s got its eye on you as well, but only insofar as you are one of the financial entities above or supply ICT services to one.
In short, if you’re anywhere near the financial playground, DORA wants to make sure you’re playing nice.
The DORA Due Diligence Dance
So, what kind of homework is DORA assigning? Here’s a peek into the due diligence checklist:
- Security Measures: Think cybersecurity policies, technical controls, and compliance certifications. Basically, all the things that keep the digital baddies at bay.
- Governance and Accountability: Organizational structure and board oversight – DORA wants to know who’s steering the ship.
- Employee Training and Awareness: Training programs and awareness initiatives. Get your staff in the know and on their toes.
- Regulatory Compliance: Regulatory history and compliance monitoring. DORA’s digging into your past to secure your future.
- Information Sharing and Coordination: Threat intelligence sharing and incident coordination. It’s all about teamwork – no lone wolves here.
- Audit and Monitoring Capabilities: Internal audits and monitoring tools. Think of it as your financial health checkup.
Mastering Client and Supplier Due Diligence: The Fun Checklist
Training and Education
- Diligence 101: Make sure everyone knows the basics of due diligence for both clients and suppliers. Quick, fun training sessions are key.
Keeping Up with the News
- Stay Updated: Follow updates on due diligence regulations like they’re the latest gossip. Stay in the loop to avoid surprises.
Integrating Risk Management
- Risk Radar: Add risk assessments to your client and supplier onboarding processes. Think of it as a safety check.
- Deep Dive: For high-risk clients and suppliers, dig deeper into their background and history.
Team Up!
- Collab with Risk Team: Keep a solid chat going with your risk management team. Share insights and stay on top of risks for both clients and suppliers.
- Joint Ventures: Do risk assessments together – it’s more fun and thorough.
Data Collection and Monitoring
- Ask the Right Questions: Update your forms to include questions about ICT risk factors for both clients and suppliers.
- Eyes on Everyone: Set up automated, ongoing monitoring of client and supplier risk profiles, so that a change is flagged between reviews rather than discovered at the next annual check.
Policy and Procedure Updates
- Policy Refresh: Update your onboarding policies to align with due diligence requirements. Cover all risk angles.
- Document Everything: Keep detailed records of all your ICT risk checks and updates.
Compliance and Reporting
- Regular Checkups: Ensure all clients and suppliers meet due diligence standards.
- Incident Reporting: Have a process for classifying ICT-related incidents and reporting major ones to your competent authority within DORA’s timelines (an initial notification, then an intermediate and a final report), and know which supplier incidents count as yours.
Training and Awareness
- Train Your Team: Regularly remind your team about due diligence, risks, and best practices for both clients and suppliers.
- Teach Clients and Suppliers: Share the importance of due diligence with your clients and suppliers – they need to know the drill too.
Leveraging Tech
- Automate It: Use tech tools to gather and analyse risk data from clients and suppliers. Make the process smooth and quick.
- Risk Intelligence: Use risk intelligence platforms to stay ahead of new risks for both clients and suppliers.
Regular Review and Improvement
- Audit Time: Regularly audit your processes to find and fix any issues.
- Feedback is Gold: Continuously improve based on audits and new insights.
Contracts and Agreements
- Clause it Up: Add specific clauses to your agreements with clients and suppliers that address ICT risk management and due diligence. For ICT supplier contracts, DORA spells out what must be in there: a full description of the service, where data is processed and stored, service levels, incident support, your audit and access rights, and termination and exit arrangements.
- Clear Agreements: Set clear terms for ICT risk management, and make sure there are consequences for non-compliance.
Wrapping Up
So, there you have it, folks – DORA in a nutshell. No high-octane adventures or catchy theme songs, but plenty of crucial compliance steps to keep financial institutions secure and resilient in the digital age. Get ready to embrace your inner regulatory explorer and navigate the wild world of financial compliance with DORA leading the way. And remember, this is one adventure where forgetting your map (or your due diligence) isn’t an option!